Received by House

Children and Teens’ Online Privacy Protection Act

S.836 – Children and Teens’ Online Privacy Protection Act (updates COPPA, bans targeted ads to minors)

119th Congress

S.836 would update the 1998 Children’s Online Privacy Protection Act to cover both children under 13 and teens ages 13–16 across websites, apps, games, and connected devices. It sets new limits on how companies can collect, use, share, store, and transfer young people’s personal data, and blocks individual-specific advertising to them. The bill was introduced in the Senate and referred to the Commerce, Science, and Transportation Committee.

Bill Number: S836
Chamber: Senate

What This Bill Does

This bill updates federal online privacy rules for young people by expanding protections beyond children under 13 to now also cover teens from 13 through 16. It clearly defines key terms such as “teen,” “personal information,” “connected device,” “mobile application,” and “individual-specific advertising to children or teens.” Personal information is broadened to include things like persistent identifiers, precise location, biometric data, and photos, videos, or audio files showing a child’s or teen’s image or voice, with a narrow exception for short-lived voice recordings used only to carry out a request.

The bill makes it unlawful for an operator of a website, online service, online app, mobile app, or connected device that is directed to children, or that knows a user is a child or teen, to collect personal information in ways that break the Federal Trade Commission (FTC) rules. Operators may not collect, use, share, or keep a child’s or teen’s personal information for individual-specific advertising, and they may not let others do so. Operators can only collect personal information when it fits with the context of the service or is required by law. They must not keep the information longer than reasonably needed to provide the requested service and must give notice if they store or transfer a child’s or teen’s personal data outside the United States.

The bill strengthens consent and control. It redefines “verifiable consent” so that, for children, parents must approve data practices, and for teens, the teens themselves must approve, after receiving clear notice. Operators must clearly explain on their sites what data they collect from children and teens, how they get it, and how they use, share, and retain it. Parents and teens gain rights to see what data has been collected, to delete it, to stop further collection and use, and to correct inaccurate information. Operators must maintain reasonable security practices to protect these data.

For education technology, the bill allows schools and educational agencies to stand in for parents or teens in giving consent, but only under a written agreement with an operator. That agreement must limit the operator’s data use to educational purposes, forbid other commercial uses, explain what data are collected and why, link to the operator’s privacy notice, and give the school a way to review, delete, or stop further collection of student data at a parent’s or teen’s request. The school must also disclose which operators it uses and share the operator’s notices with parents and teens on request.

The bill directs the FTC to update its regulations to reflect these changes. It requires rules that allow parents or teens to ask for deletion or correction of data without losing access to a service, if the service can run without that information. It also clarifies that deletion requests do not override legal recordkeeping duties, law enforcement needs, or security functions, and lets operators keep minimal records to prove they complied with deletion requests. The FTC must study whether a shared “common verifiable consent” system is workable and, if so, can issue rules to allow such a system for multiple related services.

Enforcement powers are also clarified. State attorneys general, along with the FTC and banking regulators for insured depository institutions, can enforce the updated rules. The bill explains how regulators should decide whether a company has “knowledge fairly implied” that a user is a child or teen, using a totality-of-the-circumstances test, but it states that companies do not have to add age-verification systems or collect extra age data they do not already gather. The FTC must issue nonbinding guidance on what counts as implied knowledge, and all new regulations must include an analysis of impacts on small businesses.

Beyond direct rules, the bill orders several studies and regular reports. The FTC must report annually to Congress on its enforcement of the children’s privacy law, including numbers of investigations, actions, complaints, and any policy or legislative recommendations to improve protections. Within three years, the FTC must also report on how app platforms oversee apps aimed at children and whether those apps follow the law and FTC rules on unfair or deceptive marketing. Separately, the Government Accountability Office (GAO) must study how teens use financial technology products, what privacy risks they face, and whether existing laws are enough, and then report back with any legislative or regulatory recommendations. A severability clause ensures that if one part of the Act is struck down, the rest remains in effect.

Why It Matters

This bill would shift how many online services, apps, and connected devices handle data about children and teens. By banning individual-specific advertising based on personal data for users under 17 and limiting when data can be collected, shared, stored, or sent abroad, it could change common business practices for social media platforms, games, ed-tech tools, and other online services that minors use. Parents and teens would gain clearer rights to see, delete, and correct data, which could affect how families interact with schools, apps, and platforms.

For companies, especially those that make money from targeted advertising or data analytics, the bill could require new systems for age awareness, consent, data minimization, and security. At the same time, the bill states they do not need to add age-verification tools or collect extra age data, which may limit how they implement compliance. The required FTC and GAO reports could lead to further changes in law or policy over time, depending on what those reports show about enforcement, app oversight, fin-tech use by teens, and any remaining privacy gaps.

For the public and policymakers, the bill aims to modernize a 1998 law to fit current technology, including mobile apps, biometrics, and connected devices. Its real-world impact would depend on how the FTC writes and enforces the new rules, how businesses respond, and whether states choose to add even stronger protections on top of the federal baseline, which this bill allows as long as they do not conflict with federal provisions.

External Categories and Tags

Categories

technology, civil-rights

Tags

online-privacy (100%), children-and-teens (92%), data-collection-limits (86%), ftc-authority (80%), targeted-advertising (78%), parental-consent (70%), deletion-rights (62%), education-technology (55%), data-security (50%), reporting-requirement (45%)

Arguments

Arguments in support

  • Treats teens’ data more like children’s data by adding protections for ages 13–16, which some see as better reflecting young people’s developing judgment and vulnerability online.
  • Bans individual-specific advertising to minors based on their personal data, which supporters say reduces incentives to track young users and build detailed profiles on them.
  • Expands the definition of personal information to cover modern data types like precise location and biometrics, aligning the law with today’s technologies and risks.
  • Gives families and teens clear rights to see, delete, and correct data, which may improve transparency and control over how young people’s information is used.
  • Sets guardrails for education technology and school-authorized apps, aiming to ensure student data are used only for educational purposes and not for unrelated commercial goals.
  • Requires the FTC and GAO to regularly review enforcement and emerging risks, which can inform future policy updates based on evidence.
  • Allows states to adopt stronger protections if they choose, which some view as encouraging innovation in privacy safeguards while keeping a national baseline.
  • Clarifies that companies do not need to adopt intrusive age-verification systems, which may address concerns about collecting even more sensitive identity information.

Arguments against

  • The ban on individual-specific advertising to minors may reduce advertising revenue for services that rely on targeted ads, which could affect free or low-cost online content and apps for young users.
  • New consent, access, deletion, and correction requirements may be complex or costly for smaller companies and app developers to implement, potentially discouraging new entrants or innovation.
  • The expanded definition of personal information and the implied-knowledge standard could make it harder for operators to know when they are covered, increasing legal uncertainty and compliance risk.
  • Allowing states to pass stronger, non-conflicting privacy laws could lead to a patchwork of rules that are harder for nationwide services to navigate.
  • Some may argue that giving teens direct control over their consent and data, instead of routing everything through parents, could create confusion within families or lead to disagreements over choices.
  • Reporting and documentation requirements for the FTC, schools, and operators may add administrative burden without clearly measurable benefits if enforcement and outcomes do not change significantly.
  • Clarifying that age-verification is not required may leave gaps where operators do not reliably know which users are minors, possibly limiting the reach of the protections in practice.

Key Facts

  • Extends federal online privacy protections from children under 13 to also cover teens ages 13–16.
  • Broadens the definition of “personal information” to include persistent identifiers, precise geolocation, biometric data, and media files showing a child’s or teen’s image or voice.
  • Prohibits collecting, using, disclosing, or keeping personal information of children or teens for individual-specific advertising, and bars operators from letting others do so.
  • Requires that personal information of children and teens be collected only when consistent with the context of the service or required or specifically authorized by law.
  • Limits how long operators can retain children’s and teens’ personal information to what is reasonably necessary to complete a transaction or provide a requested service.
  • Requires operators to give direct notice when a child’s or teen’s personal data are stored or transferred outside the United States.
  • Gives parents (for children) and teens (for themselves) rights to access, delete, and correct personal information, and to stop further collection and use, while generally preserving access to the service where feasible.
  • Requires operators to maintain reasonable security practices to protect children’s and teens’ personal information from unauthorized access.
  • Allows schools and educational agencies to authorize data collection for educational purposes under strict written agreements that limit commercial use and provide transparency and access rights.
  • Clarifies that deletion or correction requests do not override legal retention duties, law enforcement needs, or necessary security and fraud-prevention activities.
  • Directs the FTC to assess and, if appropriate, regulate a “common verifiable consent” mechanism that could serve multiple related operators.
  • Requires the FTC to issue guidance on how it determines when an operator has “knowledge fairly implied” that a user is a child or teen, without requiring new age-verification systems.
  • Orders annual FTC reports to Congress on enforcement of children’s online privacy rules and a separate three-year report on how app platforms ensure children’s apps comply with these rules.
  • Requires the GAO to study teen use of financial technology products, related privacy risks, and whether current laws are adequate.
  • Allows states to pass and enforce stronger protections for children’s and teens’ online privacy, as long as they do not conflict with federal provisions.

Gotchas

  • The bill does not require companies to add age gates or verify users’ ages, even though many duties depend on knowing that a user is a child or teen; instead, it relies on an implied-knowledge standard guided by FTC interpretation.
  • Deletion rights are limited: operators may keep certain information to meet legal obligations, support law enforcement, maintain security, or demonstrate compliance, so not all traces of data will necessarily disappear.
  • Schools can authorize data collection from students for educational tools without getting separate consent from each parent or teen, as long as strict conditions are met, which could shift primary control from families to institutions in some contexts.
  • The bill allows operators to terminate service to a child or teen who refuses further data collection, but later sections restrict them from cutting off service solely because someone requested deletion, creating a nuanced balance that may be confusing in practice.
  • While the FTC must publish safe-harbor program reports online, those publications are still limited by existing confidentiality rules, so the public may not see full details of how these programs operate.
  • The law explicitly permits contextual advertising and age-appropriate, non-individualized ads to minors, meaning advertising to children and teens is not banned overall, only certain types based on personal data profiling.
